AWS ACM Private CA support #256

Merged (33 commits), Feb 25, 2020

Conversation

@ryan-lane (Contributor) commented Jan 28, 2020

This change adds support for using ACM Private CA to provide an authenticated shim for issuing certificates for clients. Four endpoints are included: `GET /v1/certificates/<ca>/<cn>`, `POST /v1/certificates/<ca>`, `GET /v1/cas` and `GET /v1/cas/<ca>`. The GET certificate endpoint takes a certificate authority name (ca) and a common name argument (cn), generates a private key, CSR, and certificate for the given cn, and returns a certificate, private_key and certificate_chain. The POST certificate endpoint takes a `<ca>` argument and a csr in the data body, and returns a certificate and certificate chain issued for the CSR. Both endpoints accept a san argument (a URL param for GET, and a key/value in the POST body), which can be added as an extension. Both endpoints also accept a validity argument, which specifies the number of days the certificate will be valid for. There's a setting to limit the max validity. The GET cas endpoint lists all configured CAs, and returns a certificate, certificate chain and a dictionary of tags for each CA. The GET ca endpoint returns the certificate, certificate chain and a dictionary of tags for the specified ca.

This implementation supports multiple CAs, defined in the ACM_PRIVATE_CAS setting, which is a comma-delimited list of friendly names for the CAs. Settings for each CA are pulled from environment variables, postfixed with the friendly CA name, in all uppercase, e.g. `ACM_PRIVATE_CAS='testca'; ACM_PRIVATE_CA_ARN_TESTCA='arn:...'`.

This implementation is just a pass-through, so each call will result in a certificate being generated, even if it's for the same CN with the same validity period. The idempotency token used in the ACM call is only effective for avoiding re-issuing certs within a short-period of time for the exact same CSR.

A simple cost-savings cache is included for the `GET /v1/certificates/<ca>/<cn>` endpoint, which will cache the csr/key/certificate in memory, per process. Locking is used between threads in the process to ensure that if a thread is issuing a certificate, other threads attempting to issue the same certificate will wait until the initial certificate is issued, then will return the certificate from the cache.
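The description above covers three mechanisms that are easy to get subtly wrong: the per-CA settings convention (variables postfixed with the upper-cased friendly name), the max-validity cap, and the per-process cache whose per-certificate locking collapses concurrent requests for the same CN into a single issuance. The following is an added example written for this page, not code from the PR or from confidant. The key/CSR generation and the ACM `IssueCertificate` call are replaced by an injected `issue` callable; `ACM_PRIVATE_CAS` and `ACM_PRIVATE_CA_ARN_<NAME>` follow the PR text, while `ACM_PRIVATE_CA_MAX_VALIDITY_DAYS_<NAME>`, its 120-day default, `CertificateShim`, `run_demo` and the sample ARN are assumptions made for the example.

```python
"""
Added example, not confidant's own code: a small model of the ACM Private CA
shim the PR describes, so the config convention, validity cap and
per-process cache can be exercised locally without AWS credentials.
"""
import threading
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class CAConfig:
    name: str
    arn: str
    max_validity_days: int


def load_cas(env):
    """Read the comma-delimited friendly names from ACM_PRIVATE_CAS and the
    per-CA settings postfixed with the upper-cased friendly name."""
    names = [n.strip() for n in env.get("ACM_PRIVATE_CAS", "").split(",") if n.strip()]
    cas = {}
    for name in names:
        suffix = name.upper()
        arn = env.get(f"ACM_PRIVATE_CA_ARN_{suffix}")
        if not arn:
            raise ValueError(f"ACM_PRIVATE_CA_ARN_{suffix} is not set")
        # ASSUMPTION: the PR says a max-validity setting exists but does not
        # name it; this variable name and the 120-day default are invented.
        max_days = int(env.get(f"ACM_PRIVATE_CA_MAX_VALIDITY_DAYS_{suffix}", "120"))
        if max_days <= 0:
            raise ValueError(f"max validity for {name} must be positive")
        cas[name] = CAConfig(name, arn, max_days)
    return cas


class CertificateShim:
    """Per-process cache with one lock per (ca, cn, san, validity) key: the
    first thread to ask issues, concurrent callers block on that key's lock
    and then read the cached result instead of issuing again."""

    def __init__(self, cas, issue, now=time.time):
        self._cas = cas
        self._issue = issue          # issue(arn, cn, san, days) -> dict
        self._now = now
        self._cache = {}             # key -> (expires_at, result)
        self._key_locks = {}
        self._meta_lock = threading.Lock()

    def _lock_for(self, key):
        with self._meta_lock:
            lock = self._key_locks.get(key)
            if lock is None:
                lock = self._key_locks[key] = threading.Lock()
            return lock

    def get_certificate(self, ca, cn, san=None, validity=None):
        config = self._cas[ca]  # KeyError for a CA not listed in ACM_PRIVATE_CAS
        days = config.max_validity_days if validity is None else min(validity, config.max_validity_days)
        if days <= 0:
            raise ValueError("validity must be a positive number of days")
        key = (ca, cn, tuple(sorted(san or ())), days)
        with self._lock_for(key):
            hit = self._cache.get(key)
            # Never hand out a cached certificate past its own validity window.
            if hit is not None and hit[0] > self._now():
                return hit[1]
            result = self._issue(config.arn, cn, key[2], days)
            self._cache[key] = (self._now() + days * 86400, result)
            return result


def run_demo():
    """Eight threads request the same certificate at once: the fake issuer
    must run exactly once and the 400-day request is clamped to 120."""
    env = {  # constructed sample settings; the ARN is a placeholder, not a real CA
        "ACM_PRIVATE_CAS": "testca",
        "ACM_PRIVATE_CA_ARN_TESTCA": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/EXAMPLE",
        "ACM_PRIVATE_CA_MAX_VALIDITY_DAYS_TESTCA": "120",
    }
    calls, calls_lock = [], threading.Lock()

    def fake_issue(arn, cn, san, days):
        time.sleep(0.05)  # stand-in for the ACM round trip so the threads overlap
        with calls_lock:
            calls.append((cn, days))
        return {"certificate": f"<cert {cn}>", "private_key": "<key>", "certificate_chain": "<chain>"}

    shim = CertificateShim(load_cas(env), fake_issue)
    results = []
    workers = [threading.Thread(target=lambda: results.append(
        shim.get_certificate("testca", "svc.example.internal", validity=400))) for _ in range(8)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return {"issuances": len(calls), "days": calls[0][1],
            "all_same": len({r["certificate"] for r in results}) == 1}


if __name__ == "__main__":
    print(run_demo())
```

Two properties of this design are worth keeping in mind when reading the PR: the per-key lock is held for the duration of the issuing call, so a slow ACM round trip only stalls requests for that exact certificate, not the whole process; and because the cache is per process, a deployment with several worker processes still issues one certificate per worker for the same CN, so the cost saving is bounded by the worker count.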

@ryan-lane ryan-lane changed the title Basic proof of concept of using AWS ACM Private CA AWS ACM Private CA support Jan 30, 2020
@skiptomyliu (Member) commented:

Looks good, just a few minor comments.

@skiptomyliu (Member) previously approved these changes Feb 22, 2020 and left a comment:

Don't wanna block. Minor follow-up changes we can make later.

@ryan-lane ryan-lane merged commit 7bd6cd8 into master Feb 25, 2020
@ryan-lane ryan-lane deleted the private-ca branch February 25, 2020 01:18